http://www.foreignpolicy.com/story/cms.php?story_id=3798
By Mikko Hypponen
May/June 2007
Online banking fraud is rampant because it's easy. Here's a fix that
will mean money in the bank.
Computer security is a complex issue, and there is no simple cure-all.
But one thing that continues to baffle me is the way we bank online.
Think about the Web address of your bank. It probably ends in one of the
common top-level domains: ".com" if you're in the United States, or,
depending on your home country, in something like ".uk," ".de," ".jp,"
or ".ru." Which is why Web sites with such names as
"bankofamerica-online.com," "lloydstsb-banking.com," "hsbc-login.com,"
or "paypalaccount.com" are so dangerous. They may look like the real
thing, but they're operated by criminals. And these rogue banking sites
are popping up every day. Hosted on Web sites with misleading names that
read like a real bank's Web address, the domains are registered with
fake contact information. These impostors then bombard consumers with
"phishing" e-mails, luring them to these sites, where their financial
information is stolen.
How does this happen? At the moment, anyone willing to pay the fee of $5
or so can register any domain name they want, as long as the name is not
already taken. So creating these look-alike pages is fast, easy, and
cheap.
Why do banks and other financial institutions operate under the public
top-level domains, like .com? The Internet Corporation for Assigned
Names and Numbers, the body that creates new top-level domains, should
create a new, secure domain just for this reason—something like ".bank,"
for example.
Registering new domains under such a top-level domain could then be
restricted to bona fide financial organizations. And the price for the
domain wouldn't be just a few dollars: It could be something like
$50,000—making it prohibitively expensive to most copycats. Banks would
love this. They would move their existing online banks under a more
secure domain in no time.
The creation of a new domain for a specific industry is not
unprecedented: We've already done it for museums, with their restricted
".museum" top-level domain. If we can manage to protect storehouses of
precious works of art from the Internet's most shameless thieves, surely
we can find a way to protect our money.
__________________________
Subscribe to InfoSec News
http://www.infosecnews.org